NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release version of OSArmor Personal 1.5.9:

    Code:
    https://downloads.osarmor.com/osarmor_personal_1.5.9_test1.exe
    
    This is what's new so far:

    We added many new internal rules to block suspicious process behaviors, improved/optimized the current internal rules, and introduced a new protection option, "Enable paranoid process behavioral detection rules", in the "Lockdown & Experimental" rules. This option is designed mainly for companies/businesses/offices; for home users it may generate some FPs. It would be good if you could test (enable) this option to see if you get FPs, and if so, how frequently.

    Let me know if you find any issue with this new test build.

    @Influenza

    The FP related to the AdGuard installation will not be fixed because there are not enough parameters to make a generalized exclusion. It would be awesome if the AdGuard installation process called schtasks.exe directly, so that we would get the AdGuard process as the parent process and not cmd.exe.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Thanks NVT. Got it and have enabled "Enable paranoid process behavioural detection rules" to test. Will let you know of any FPs.
     
  3. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Right off the bat it blocked Edge from opening. Then weird things started happening in File Explorer, like error messages when trying to retrieve a snip of the issue. I felt this was already too intrusive to try to start excluding and looking for possible rules. It's quite defensive: when I sicced HiBit on it, it invoked self-defense mode. Guess I should have exited the UI first, lol. So, I went back to 1.5.8 for now.

    I think Windows 11 is at least partly to blame.

    [Attachments: osa and hibit.PNG, edge and osa.png]
     
  4. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    personal_1.5.9_test1
    Code:
    Process: [6992]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Process MD5 Hash: 943751FFBD2AA02C1C995B3890758E17
    Parent: [10488]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,11901111323790367265,109094432764981353,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2040 /prefetch:2
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Corporation
    User/Domain: ANONYMOUS LOGON/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: Untrusted
    Parent Integrity Level: Untrusted
    -
    Process: [11496]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Process MD5 Hash: 943751FFBD2AA02C1C995B3890758E17
    Parent: [11120]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,3115939214387591743,17638716929672555041,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1504 /prefetch:2
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Corporation
    User/Domain: bjm/DESKTOP-DELL
    System File: False
    Parent System File: False
    Integrity Level: Low
    Parent Integrity Level: Medium
    -
    Process: [12432]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Process MD5 Hash: 943751FFBD2AA02C1C995B3890758E17
    Parent: [11932]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4093315322023792818,8711058402445942976,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=5588 /prefetch:2
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Corporation
    User/Domain: bjm/DESKTOP-DELL
    System File: False
    Parent System File: False
    Integrity Level: Low
    Parent Integrity Level: Medium
    
    W10 Home 21H1 (19043.1083)
     
    Last edited: Jul 25, 2021
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Same as @bjm_ :
    Date/Time: 26/07/2021 3:29:39 AM
    Process: [11764]C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    Process MD5 Hash: 0114B3BF0B53DEB5B9C300B2295DD71F
    Parent: [9712]C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNDUuNDkiIHNoZWxsX3ZlcnNpb249IjEuMy4xMTcuMjkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkUzMURCOEEtNERFNy00RjA4LTkxNTktRDNDNjREOEMxMzc3fSIgdXNlcmlkPSJ7MkE4NEE5RkMtQ0M3Ny00QTU0LTlFQUMtMDQwNzE2RUVBOEY1fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsyMUU5RjYxNy0zNzY2LTQ0NUQtQkJEQy02MENCMzhCOUNDMjh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMCIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQzLjExMTAiIHNwPSIiIGFyY2g9Ing2NCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkFjZXIiIHByb2R1Y3RfbmFtZT0iQXNwaXJlIDU3NDAiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-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-PHBpbmcgYWN0aXZlPSIwIiByZD0iNTMxOSIgcGluZ19mcmVzaG5lc3M9InsxNTc1OUQzMC1CQUIxLTQ0Q0QtQjY3Qy0wQTE1RUFCRTZGRTB9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Corporation
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
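The block records above, worked through as an added example that is not part of this thread and not OSArmor's own code (the script does not know OSArmor's real rule logic). It parses records in the log format posted here, contrasts a bare "long base64-looking argument" check with one scoped by signer and parent image, and decodes the EdgeUpdate /ping argument, which turns out to be an Omaha update request in XML. Assumptions: only the verified prefix of the /ping blob is embedded (cut before the session and user identifiers), the third record (a cmd.exe to schtasks.exe chain standing in for the AdGuard installer case) is hypothetical, and the rule names, shell list and thresholds are the example's own.

```python
"""Triage of OSArmor 'BlockSuspiciousCmdlines' records (added example, not
OSArmor's code). A plain "long base64-looking argument" check fires on Edge's
--gpu-preferences and EdgeUpdate's /ping; scoping it by signer and parent
image removes those FPs, while a shell -> schtasks.exe chain stays blocked
because only the immediate parent is visible in the log (the AdGuard case).
"""
import base64
import re

# Verified prefix of the /ping blob from the EdgeUpdate record above, cut
# before the session/user identifiers. The full argument is base64url.
PING_PREFIX = ("PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0i"
               "My4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNDUuNDkiIHNoZWxsX3Zl"
               "cnNpb249IjEuMy4xMTcuMjkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7")

# Constructed from the records in this thread, trimmed to the fields used
# here; the third record is a hypothetical cmd.exe -> schtasks.exe chain.
SAMPLE_LOG = r"""Process: [6992]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent: [10488]C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Rule: BlockSuspiciousCmdlines
Command Line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,11901111323790367265,109094432764981353,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2040 /prefetch:2
Signer: Microsoft Corporation
Parent Signer: Microsoft Corporation
-
Process: [11764]C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent: [9712]C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Rule: BlockSuspiciousCmdlines
Command Line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping """ + PING_PREFIX + r"""
Signer: Microsoft Corporation
Parent Signer: Microsoft Corporation
-
Process: [4242]C:\Windows\System32\schtasks.exe
Parent: [4141]C:\Windows\System32\cmd.exe
Rule: BlockSuspiciousCmdlines
Command Line: schtasks.exe /Create /TN ExampleTask /TR C:\Example\app.exe /SC ONLOGON
Signer: Microsoft Windows
Parent Signer: Microsoft Windows
-
"""

# A whitespace token, optionally '--flag=' prefixed, of >= 40 base64/base64url chars.
OPAQUE = re.compile(r"^(?:-{1,2}[\w-]+=)?([A-Za-z0-9+/_-]{40,}=*)$")
SHELLS = {"cmd.exe", "powershell.exe"}       # assumed shell list
TASK_TOOLS = {"schtasks.exe"}                # assumed persistence tool list


def parse_records(text):
    """Split an OSArmor block log ('-' separated, 'Key: value' lines) into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if line.strip() == "-":
            if current:
                records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(": ")
        if sep:
            current[key] = value
    return records + ([current] if current else [])


def image_path(field):
    """'[pid]C:\\dir\\image.exe' -> 'c:\\dir\\image.exe' (pid stripped, lower-cased)."""
    return re.sub(r"^\[\d+\]", "", field).lower()


def opaque_args(cmdline):
    """Return the base64-looking tokens of a command line (without flag prefix)."""
    return [m.group(1) for m in map(OPAQUE.match, cmdline.split()) if m]


def decode_arg(blob):
    """Tolerant base64/base64url decode; None if the token is not base64 at all."""
    data = blob.replace("-", "+").replace("_", "/").rstrip("=")
    try:
        return base64.b64decode(data + "=" * (-len(data) % 4), validate=True)
    except ValueError:
        return None


def preview(data, limit=60):
    """Printable prefix for the analyst, or a size note for binary payloads."""
    if data is None:
        return "<not base64>"
    text = data.decode("utf-8", errors="replace")
    return text[:limit] if text.isprintable() else f"<binary, {len(data)} bytes>"


def scoped_verdict(rec):
    """Same trigger as the naive check, scoped by signer and parent image."""
    proc, parent = image_path(rec["Process"]), image_path(rec["Parent"])
    signed = bool(rec.get("Signer", "").strip()) and bool(rec.get("Parent Signer", "").strip())
    if proc.rsplit("\\", 1)[-1] in TASK_TOOLS and parent.rsplit("\\", 1)[-1] in SHELLS:
        # Only the immediate parent is logged, so the installer that ran the
        # shell cannot be matched for an exclusion: the block stands.
        return "block", "task scheduler launched through a shell; initiator not visible"
    if opaque_args(rec["Command Line"]):
        if proc == parent and signed:
            return "allow", "signed image re-spawning itself with an opaque IPC/telemetry argument"
        return "block", "long opaque argument from an unrelated or unsigned parent"
    return "allow", "no rule matched"


def triage(log_text):
    """One row per record: naive vs scoped verdict plus decoded opaque arguments."""
    rows = []
    for rec in parse_records(log_text):
        verdict, reason = scoped_verdict(rec)
        args = opaque_args(rec["Command Line"])
        rows.append({"image": image_path(rec["Process"]).rsplit("\\", 1)[-1],
                     "naive": "block" if args else "allow",
                     "scoped": verdict, "reason": reason,
                     "decoded": [preview(decode_arg(a)) for a in args]})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"{row['image']:<24} naive={row['naive']:<5} scoped={row['scoped']:<5} {row['reason']}")
        for arg in row["decoded"]:
            print("    opaque arg ->", arg)
```

Run as-is, the naive check blocks both Edge records and lets the schtasks.exe chain through; the scoped check inverts that. The decoded /ping prefix reads `<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" updater="Omaha" ...`, which is why an encoded-command-line heuristic keyed only on the argument shape cannot tell it from a payload, and the --gpu-preferences value decodes to a binary structure rather than text. The schtasks.exe row shows the limit the developer points to: with only the immediate parent in the record, there is nothing installer-specific to build an exclusion on.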
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Same as @plat1098 too. I cannot open Edge, even after disabling "Enable paranoid process behavioural detection rules".

    Going back to 1.5.8.
     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Rule: BlockSuspiciousCmdlines #3754 is Main Protections
    [Attachment: png_11340.png]
     
  8. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Yes, and thanks for coming up with what I wasn't willing to do. This rule should not apply to Edge browser and to turn the rule off just for that is compromising on security. I don't want to whitelist or exclude Edge either, this rule should only apply to other less trusted processes.
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    personal_1.5.9_test1
    1) I've ignored that Edge notification + Passive Logging.
    2) OSA protection enabled + "Enable paranoid process behavioral detection" enabled. Edge call renders white blank window.
    3) OSA protection enabled + "Enable paranoid process behavioral detection" not enabled. Edge call renders white blank window.
    Edge does not like 1.5.9_test1
     
    Last edited: Jul 25, 2021
  10. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Maybe NVT can dial it back a little from his end. In my opinion, Edge shouldn't be a factor in any OSA rule, even a paranoid one. It's a complex component of Windows now, not an LOLbin or a third party software.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    I feel the same way.
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    I run Rule Name: Block execution of Microsoft Edge...not enabled.
     
    Last edited: Jul 25, 2021
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Hey guys, sorry for the Edge FP, it is fixed now (was related to a specific change in test1 build).

    New build here:

    Code:
    https://downloads.osarmor.com/osarmor_personal_1.5.9_test2.exe
    
    Attaching a screenshot of W11 and Edge:

    [Attachment: win11-2021-07-26-19-28-52.png]

    I've removed the "Enable paranoid process behavioral detection rules" option for now.

    Let me know if you find issues with this new build.

    Thanks!
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Installed Test 2 and the Edge bug is indeed fixed. All seems OK here so far but I'll report any bugs if I find any.

    Thanks @novirusthanks . :thumb:
     
  15. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    Installed Test 2 and so far so good!:)
    Thanks Andrea
     
  16. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    New build test 3 here:

    Code:
    https://downloads.osarmor.com/osarmor_personal_1.5.9_test3.exe
    
    Added new protection option "Prevent unsigned processes in user space from starting system processes" on "Lockdown & Experimental" section, improved internal rules, added new internal rules to block suspicious process behaviors.

    Let me know if you find issues or FPs.

    Thanks guys :)
     
  17. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,177
    Location:
    Canada
    Just installed, will let you know in case of problems. Thanks:)
     
  18. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    A possible false-positive on start up this morning:

    [Attachment: osafp.PNG]

    Windows 11 v. 22000.100/OSArmor 1.5.9
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @plat1098

    Thanks for reporting it and for including useful details.

    It should be fixed in this new build test 4:

    Code:
    https://downloads.osarmor.com/osarmor_personal_1.5.9_test4.exe
    
    Let me know if you find other issues or FPs.
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Hi NVT,

    You seem to have incredible timing. You know exactly when I've booted my dual-boot machines back in Linux. :D
     
  21. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Hi there. Yes, the SIHClient.exe false-positive did not appear from a cold boot--tested one time. Will continue to monitor.

    If I go to Export my OSA Settings but then cancel out of File Explorer without saving anything, the OSA message box still says "operation completed successfully." Should there be no box at all in that instance?

    It seems it's only your loon WAV or nothing. My custom WAV doesn't play; it's silent when I test with a fake block. Plus, the names of all the WAV files in the NVT folder were messed up after I first installed test 4. They all reverted to the default loon sound while retaining their renamed names like loonold, etc., even though they were my custom WAV files.

    If someone could confirm or deny esp. the WAV issue, that would be great. :)

    Edited to modify orig. test (made an error).
     
    Last edited: Aug 2, 2021
  22. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    OK, properly exported settings, but unfortunately I still can't get my custom WAV to play audibly. Went back to test 3 and it's still silent. Again, if anyone can confirm or deny this issue, that would be great.

    Edit: did something change when you Export something? I don't recall having to name the Settings file before, but I haven't backed up my OSA Settings recently. Didn't you used to be able to just hit "Save" and OSA would save it with its pre-defined file name?

    Edited to correct some text.
     
    Last edited: Aug 2, 2021
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    as test ~
    File Explorer X Close = Operation completed successfully.
    File Explorer Cancel = Operation completed successfully.
    [Attachment: png_11429.png]
     
    Last edited: Aug 2, 2021
  24. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    If you don't save anything though, do you think that box in your spoiler should still appear?
     
  25. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    No
     